chaining hals
play

Chaining HALs ABS 2015 PRELIMINARY HY Research LLC - PowerPoint PPT Presentation

Feb 08, 2024 •268 likes •465 views

Chaining HALs ABS 2015 PRELIMINARY HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC Agenda * Introduction - Why chain a HAL? * Android HAL basics * Overview of chaining a HAL * HAL loader * Exampling:

  1. Chaining HALs ABS 2015 PRELIMINARY HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  2. Agenda * Introduction - Why chain a HAL? * Android HAL basics * Overview of chaining a HAL * HAL loader * Exampling: sensor HAL chaining * Conclusion * Questions HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  3. Why Chain a HAL? * HAL: H ardware A bstraction L ayer * Binary blob to talk to Hardware * Bug work around a binary HAL * Adding features to a binary HAL * Modified Hardware * Prototyping * Reuse of code * Obsolete code HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  4. Android HAL basics * Connects HW to Android * GPS, Sensors, Graphics, Sound * Radio () * HALs offer a place to provide virtual HW * HW specific nature may lead to binary HALs. * HALs are shared ELF objects Uses a well known symbol, HMI HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  5. How does it work? * Subsystem requests a HAL via hw_module_load() (hardware/libhardware) err = hw_get_module(SENSORS_HARDWARE_MODULE_ID, (hw_module_t const**)&module); 1) Search /system/lib/hw and /vendor/lib/hw for a file named MODULE.tag.so. Where: MODULE is a string from the first paramter. tag is a string from system properties: - ro.hardware - ro.poduct.board - ro.board.platform - ro.arch HY Research LLC or fall back of "default" http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  6. How does it work? (con't) 2) If the file exists, the search stops! - Even if it is not valid! - Other combinations not tried. 3) File is opened with dlopen() 4) The HMI symbol is located with dlsym() - HAL_MODULE_INFO_SYM_AS_STR - HAL_MODULE_INFO_SYM HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  7. How does it work? (con't) 5) Basic sanity check. id member of HMI is checked. * After hw_module_load(), HAL specific initialization. * HAL specific information is often overlayed onto the HMI structure. - Sensor HAL adds a get sensors callback HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  8. HAL Chaining Overview * Security folks - Man In the Middle Attack * Implement 2 interfaces: 1) Standard HAL API loadable by Android 2) HAL loading interface like Android. * ELF tap dancing 1) Potentially identical names 2) Track using pointers * File names: 1) Rename and/or move original HAL 2) Place new HAL in old place. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  9. Other chaining * Non Android userland using glibc - LD_PRELOAD - LD_LIBRARY_PATH - Done via the dynamic linker in glibc. - Not supported by bionic HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  10. Example: Sensor HAL * Nothing special. Just easy to demo. * 3 parts - a normal HAL skeleton for sensors - a simplified HAL loader - sensor specific details. * Goal: modify select data coming from the real sensor HAL. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  11. Sensor HAL skeleton * Fulfill Android requirements * Define the HMI structure - Provide an open callback that initializes methods for sensors. - Provide a get_sensor_list() callback returns a list of sensors. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  12. Sensor HAL skeleton static struct hw_module_methods_t chain_sensors_module_methods = { open: chain_open_sensors }; struct sensors_module_t HAL_MODULE_INFO_SYM = { common: { tag: HARDWARE_MODULE_TAG, version_major: 1, version_minor: 0, id: SENSORS_HARDWARE_MODULE_ID, name: "Sensor module", author: "HY Research LLC", methods: &chain_sensors_module_methods, }, get_sensors_list: chain_sensors__get_sensors_list, }; HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  13. Sensor HAL loader * Simplified version of hw_module_loader() * Directly dlopen() the original HAL. No searching. * Use dlsym() to find the pointer to the HMI structure and save it off. - Starting point to find entries into the original HAL. * Gets invoked by the open method of our HAL. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  14. static int chain_open_sensors(const struct hw_module_t* module, const char* id, struct hw_device_t** device) { [Declarations removed/error handlign removed.] ... const char *sym = HAL_MODULE_INFO_SYM_AS_STR; snprintf(old_sensorHAL_path, 2048, "%s/sensors.old.so", "/system/lib/hw"); handle = dlopen(old_sensorHAL_path, RTLD_NOW); ... old_hmi = (struct sensors_module_t *)dlsym(handle, sym); ... if (strcmp(SENSORS_HARDWARE_MODULE_ID, old_hmi->common.id) != 0) { dlclose(handle); return -EINVAL; } ChainHALinfo.old_handle = handle; ChainHALinfo.get_sensors_list = old_hmi->get_sensors_list; old_status = (old_hmi->common.methods->open)(&(old_hmi->common), id, device); old_device = (struct sensors_poll_device_t *)*device; ChainHALinfo.old_poll = old_device->poll; old_device->poll = chain_poll__poll; HY Research LLC return old_status; http://www.hy-research.com/ } Mar 15, 2015 (C) 2015 HY Research LLC

  15. Modifying the data * Replace the sensor HAL specific poll method with our own and save old poll method. * New poll method: - Calls old poll method to acquire the data - Inspects the data for things to modify. - Modify data found. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  16. static int chain_poll__poll(struct sensors_poll_device_t *dev, sensors_event_t* data, int count) { int old_ret; int i; /* Acquire data */ old_ret = ChainHALinfo.old_poll(dev, data, count); /* Modify data if needed */ if (old_ret > 0) { /* There is data! */ for (i = 0; i < old_ret; i++) { if (data[i].type == SENSOR_TYPE_ACCELEROMETER) { data[i].data[0] = -data[i].data[0]; data[i].data[1] = -data[i].data[1]; data[i].data[2] = -data[i].data[2]; } } } HY Research LLC return old_ret; http://www.hy-research.com/ } Mar 15, 2015 (C) 2015 HY Research LLC

  17. Summary * HAL chaining can work around limitations of binary blobs. * HALs are ELF objects with a well known symbol, HMI * To chain a HAL, 2 things needs to happen: 1. The HAL interface for Android needs to be implemented. 2. A HAL loader needs to be written. HY Research LLC http://www.hy-research.com/ Mar 15, 2015 (C) 2015 HY Research LLC

  18. Questions? HY Research LLC http://www.hy-research.com/ Feb 11, 2013 (C) 2013 HY Research LLC

Recommend

Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher

Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher

Chaining Operator in Climb Introduction Chaining Operator in Climb Method Chaining jQuery Method Chaining Extended Climb Christopher Chedeau Image Processing Implementation Attempts Dollar macro LRDE Extensions Laboratoire de

554 views • 42 slides
Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of

Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of

Using first order logic (Ch. 9) Backward chaining Backward chaining is almost the opposite of forward chaining (and eliminating irrelevancy) You try all sentences that are of the form: , and try to find a way to satisfy P1, P2, ... recursively

753 views • 41 slides
Occupation. Oc Meani Me ning ng. . Pu Purpose. KA KATYA HALS LSALL LL DI DIRECTOR

Occupation. Oc Meani Me ning ng. . Pu Purpose. KA KATYA HALS LSALL LL DI DIRECTOR

26 September 2018. Getting Personal: Contemporary practice in personal injury/medical negligence Occupation. Oc Meani Me ning ng. . Pu Purpose. KA KATYA HALS LSALL LL DI DIRECTOR What is on the menu Being in suitable work is good

441 views • 17 slides
Additives for polyolefins: chemistry involved and innovative effects Mara Destro Intelligent

Additives for polyolefins: chemistry involved and innovative effects Mara Destro Intelligent

Additives for polyolefins: chemistry involved and innovative effects Mara Destro Intelligent packaging; session number7733 Outline of Presentation Weatherability of HALS in LLDPE Film and Impact of PPA on the Performance of HALS Oxygen

594 views • 37 slides
Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project?

Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project?

Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project? Small Footprint RTOS Truly Open Source Cross Architecture As small as 8KB Apache 2.0 License ARM Enables Hosted by Linux

340 views • 16 slides
Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda

Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda

Priority queues Hash tables chaining Priority queue ADT Binary heap March 13, 2020 Cinda Heeren / Andy Roth / Geoffrey Tien 1 Separate chaining Separate chaining takes a different approach to collisions Each entry in the hash table

470 views • 26 slides
Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key

Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key

Blockchain (Bitcoin) Four ideas Hash chaining Unalterable history Public key cryptography Signatures Addition/Subtraction General ledger Notarization Proof of validity Hash chaining Enigma machine Enigma rotors

477 views • 27 slides
Functional Chaining System in ICN Phil Brown Fujitsu Laboratories of America, Inc. December 7,

Functional Chaining System in ICN Phil Brown Fujitsu Laboratories of America, Inc. December 7,

Functional Chaining System in ICN Phil Brown Fujitsu Laboratories of America, Inc. December 7, 2016 Functional Chaining demo setup 2 Routing optimization 3 In-network caching 4 Whole-chain security /video_compression/

237 views • 10 slides
The generalized TSP and trip chaining IWSSSCM3 John Gunnar Carlsson Epstein Department of

The generalized TSP and trip chaining IWSSSCM3 John Gunnar Carlsson Epstein Department of

The generalized TSP and trip chaining IWSSSCM3 John Gunnar Carlsson Epstein Department of Industrial and Systems Engineering, University of Southern California January 7, 2016 John Gunnar Carlsson, USC ISE GTSP and trip chaining January 7,

896 views • 45 slides
Container service chaining Martin ual INTRO AGENDA ETSI NFV MANO IETF SFC

Container service chaining Martin ual INTRO AGENDA ETSI NFV MANO IETF SFC

Container service chaining Martin ual INTRO AGENDA ETSI NFV MANO IETF SFC Existing solutions Container service chaining solution Demo 2 ETSI NFV Management and Orchestration (MANO) 3 NFV MANO MANO ARCHITECTURE 4

1.15k views • 45 slides
Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin,

Compromising the macOS Kernel through Safari by Chaining Six Vulnerabilities Yonghwi Jin, Jungwon Lim, Insu Yun, and Taesoo Kim Georgia Institute of Technology #BHUSA @BLACKHATEVENTS One of the best information Who are we? security labs in

870 views • 58 slides
Virtual Topologies for Service Chaining in BGP IP MPLS VPNs

Virtual Topologies for Service Chaining in BGP IP MPLS VPNs

Virtual Topologies for Service Chaining in BGP IP MPLS VPNs (dra?-rfernando-l3vpn-service-chaning-03) Dhananjaya Rao Rex Fernando Luyuan Fang

353 views • 8 slides
Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the

Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the

Chaining Anchors Page 53 Transform the World So When Do You Use Chains? Use Chaining Anchors when the undesired state and the desired state are too far apart. Usually when the undesired state is a stuck state where there is no

596 views • 8 slides
Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Objectives Electronic Code Book Cipher Block Chaining Output Boolean functions

Modes of Operation of Block Ciphers Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Electronic Code Book Cipher Block Chaining

183 views • 16 slides
Lecture 3: Inversion and Chaining Disclaimer: In this lecture, we drop the names of the judgments

Lecture 3: Inversion and Chaining Disclaimer: In this lecture, we drop the names of the judgments

Lecture 3: Inversion and Chaining Disclaimer: In this lecture, we drop the names of the judgments eph and pers , as it is clear form the context, which formula is index how. Full linear logic contains a rich set of connectives for building

333 views • 14 slides
Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6

Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6

Collision Resolution by Chaining 0 U ( universe of keys) k 1 k 4 k 1 k 4 K k 2 k 5 k 2 k 6 (actual k 6 k 5 keys) k 7 k 8 k 3 k 7 k 3 k 8 m 1 Expected Cost of an Search Theorem: An unsuccessful search takes expected time (1+). Proof

466 views • 33 slides
Service Function Chaining (SFC) and Network Slicing in Backhaul and Metro Networks in Support of

Service Function Chaining (SFC) and Network Slicing in Backhaul and Metro Networks in Support of

Service Function Chaining (SFC) and Network Slicing in Backhaul and Metro Networks in Support of 5G Adrian Farrel : Old Dog Consulting The research leading to these results has received funding from the European Commission for the

294 views • 16 slides
Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing?

Overview Intro to Hashing Intro to Hashing Hashing with Chaining Whats hashing? Distribute key/value pairs across bins with a hash function , Hashing Performance Hashing (Application of Probability) which maps elements from

497 views • 3 slides
Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal

Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal

Advanced Algorithms COMS31900 Hashing part one Chaining, true randomness and universal hashing Rapha el Clifford Slides by Benjamin Sach and Markus Jalsenius Dictionaries In a dictionary data structure we store ( key , value ) -pairs

1.56k views • 98 slides
a chaining algorithm for online non parametric regression Pierre Gaillard December 2, 2015

a chaining algorithm for online non parametric regression Pierre Gaillard December 2, 2015

a chaining algorithm for online non parametric regression Pierre Gaillard December 2, 2015 University of Copenhagen This is joint work with Sebastien Gerchinovitz table of contents 1. Online prediction of arbitrary sequences 2. Finite

509 views • 33 slides
Stream Chaining: Exploiting Multiple Levels of Correlation in Data Prefetching Pedro Daz and

Stream Chaining: Exploiting Multiple Levels of Correlation in Data Prefetching Pedro Daz and

Stream Chaining: Exploiting Multiple Levels of Correlation in Data Prefetching Pedro Daz and Marcelo Cintra University of Edinburgh http://www.homepages.inf.ed.ac.uk/mc/Projects/CELLULAR Outline Motivation Correlation and Localization

642 views • 43 slides
Esta stablishing Service Func ncti tion Ch Chaining Arc rchite tecture on on OpenStack for

Esta stablishing Service Func ncti tion Ch Chaining Arc rchite tecture on on OpenStack for

Esta stablishing Service Func ncti tion Ch Chaining Arc rchite tecture on on OpenStack for for Inte ternet t VNF Use-case A A joint research ch &amp; PoC oC activit itie ies among AP APAC(Asia ia-Pacif ific ic) ) Telc lco Se

644 views • 40 slides
Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J.

Rounding and Chaining LLL: Finding Faster Small Roots of Univariate Polynomial Congruences J. Bi, J-S. Coron, J-C. Faug` ere, P . Nguyen, G. Renault, R. Zeitoun Public Key Cryptography 2014 26-28 March, 2014 - Buenos Aires, Argentina

613 views • 36 slides
Factors influencing Forward and Backward chaining Is the goal precisely known? Fan-in and

Factors influencing Forward and Backward chaining Is the goal precisely known? Fan-in and

Factors influencing Forward and Backward chaining Is the goal precisely known? Fan-in and Fan-out of rules. Rule Structure R 1 : P 1 ^ P 2 ^ P 3 ^ . . . . . . ^ Pn Q 1 R 2 : P 1 ^ P 2 ^ P 3 ^ . . . . . . ^ Pn Q 2 . R k : P 1 ^

46 views • 4 slides

More recommend